A Misconfigured Firewall Exposed the Data of Hundreds of Thousands of Gearbest Customers
Noam Rotem is half of the duo of security researchers that recently discovered the data leak affecting the users of a Middle Eastern Caller ID application. In early March, he was called in to help investigate another potential exposure which a team of researchers from vpnMentor had come across.
Rotem was asked to take a look at an Elasticsearch server. Elasticsearch is a search and analytics engine that companies use to store, index, and query large volumes of data, including customer records. Sometimes an Elasticsearch server needs to be reachable from the internet, and sometimes it doesn't. Either way, it always needs to be protected, and the one vpnMentor had found wasn't.
The server belonged to Gearbest, a Chinese online retailer that sells everything from makeup to 3D printers. The shopping site has been around for close to five years, and it seems to be quite popular, which, considering the fact that it has exposed customer data, is a worry.
Three databases and tons of sensitive information exposed
As we'll see in a minute, there's a bit of a debate around the exact number of affected customers. What is under no dispute is that the exposed data is almost as varied as the products Gearbest sells. Rotem and the vpnMentor team found a total of three databases:
- The order database contained names, emails, phone numbers, shipping addresses, and information on the products customers had purchased.
- The payment database was full of email and IP addresses, order numbers, and payment information.
- The members database stored passwords, addresses, dates of birth, phone numbers, emails, IPs, ID and passport information.
As Rotem noted when he first analyzed the data, the exposure of order details could land some people in trouble. The purchase of adult toys in certain countries, for example, can have serious legal repercussions, and he did see orders of this exact nature. Furthermore, the databases held information that could easily be used for identity theft, and worryingly, most of the data (including people's passwords) was not encrypted in any way.
Researchers try to inform Gearbest
Rotem and the vpnMentor team "repeatedly" tried to get in touch with Gearbest and let the Chinese retailer know what was going on, but they didn't get a reply. Then, the researcher asked TechCrunch's Zack Whittaker for help, but even the name of a high-profile tech publication wasn't enough to elicit a response from Gearbest. In the end, vpnMentor and TechCrunch felt they had no other choice but to publicly break the news. All of a sudden, Gearbest was all ears.
Gearbest responds at last
On March 15, just hours after Rotem and Whittaker's posts went out, Gearbest used its Facebook page to issue a formal statement. According to it, Gearbest's servers had not been affected. Apparently, what Rotem and his team found were some "external tools" that the online shop uses to organize the data more efficiently. Allegedly, the affected tools store the information of newly registered users only, and they apparently hold it for just three days. On March 1, a member of Gearbest's security team "mistakenly" took down the firewall protecting the information, which is how it became available to the whole world.
Although Rotem saw a grand total of 1.5 million records in the exposed databases, Gearbest's initial calculations suggested that in total, about 280 thousand users are affected. Two days later, this number was revisited.
A second Facebook update from March 17 attempted to shed more light on the situation. It said that the Elasticsearch server was first exposed in early 2019 when, in an attempt "to reduce network jitter", Gearbest's IT team changed the configuration of some of its backend infrastructure. They didn't know it at the time, but the new settings meant that the firewall would automatically deactivate itself every now and then. On March 1, after some more tweaking, the firewall was permanently turned off, and the information was left out in the open. As a result of this new discovery, Gearbest estimated that the records of around 570 thousand individuals could have been exposed, but it pointed out that it had seen no evidence of anyone scraping or abusing the information.
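The failure mode Gearbest describes, a firewall that silently switches itself off and leaves the cluster answering unauthenticated requests, is exactly the kind of drift an external check catches before a researcher does. The following is an added example, not code from Gearbest, vpnMentor, or TechCrunch: it probes the Elasticsearch root endpoint on hosts you own from outside the perimeter and flags any host whose observed state differs from the one you expect (the host list and the expected state are assumptions).

```python
"""Exposure check for Elasticsearch hosts you operate (added example)."""
import json
import socket
import urllib.error
import urllib.request


def classify_response(status, body):
    """Classify an unauthenticated HTTP response from an Elasticsearch root URL.

    'open'          - cluster metadata came back with no credentials at all
    'auth-required' - 401/403: an authentication layer sits in front of the data
    'unknown'       - reachable, but not recognisably an Elasticsearch node
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unknown"
        # A real Elasticsearch root response carries cluster_name and version.
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return "open"
    return "unknown"


def probe(host, port=9200, timeout=3.0):
    """Fetch '/' from host:port with no credentials and classify the result.

    'unreachable' means the connection was dropped or refused, which is the
    healthy state for a cluster that should never face the internet.
    """
    url = "http://%s:%d/" % (host, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify_response(err.code, "")
    except (urllib.error.URLError, socket.timeout, OSError):
        return "unreachable"


def drifted_hosts(hosts, expected="unreachable", port=9200):
    """Return {host: state} for every host whose state is not the expected one.

    Run this on a schedule from outside the firewall; a non-empty result is
    the alert. The host list below is a constructed placeholder.
    """
    return {h: s for h in hosts for s in [probe(h, port)] if s != expected}
```

A periodic run against a known-internal cluster should always return an empty dictionary; the first time it reports `open`, the firewall is no longer doing its job.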
The server was taken offline as soon as the news broke, and a Gearbest representative called Noam Rotem to thank him and his team for their work. Rotem asked them why they had failed to act initially, and although he got no specific reasons, he was told that the Chinese retailer had determined who is responsible for handling security notifications. It looks like someone is about to face the music, which is probably just as well, because Gearbest's reaction (or lack thereof) to the whole thing shows that the online shop was not very well prepared to respond to a security incident. Here's hoping that the lessons have now been learned.